Enterprise Recon 2.11.1

How to Perform Delegated Remediation

PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.


This section covers the following topics:

Overview

As the process for remediating sensitive data locations often involves multiple steps and parties, the ability to delegate the remediation task is necessary for an effective compliance program. This becomes particularly evident in large organizations where a single scan can result in millions of sensitive data matches across a huge number of locations, which would be overwhelming for a single user to review and remediate.

With Delegated Remediation, an Enterprise Recon user can easily delegate the task to remediate match locations across multiple Targets to another user. This helps organizations streamline the remediation workflow to achieve flexibility and scalability in its compliance efforts.

For more information, see Remedial Actions in ER2.

Requirements

Requirements Description
License Enterprise Recon PRO license.
Master Server Version 2.3.1 and above.
Message Transfer Agent (MTA) At least one MTA must be configured to enable email notifications to be sent to delegatees of a remediation task. See Mail Settings for more information.
Delegator

A user with Global Admin or Remediate resource permissions can delegate remediation tasks for all locations which the delegator has Remediate permissions to.

The remediation actions that can be delegated are limited by the type of Remediation permissions assigned to the delegator's account.

Delegatee
  • Remediation tasks can be delegated to:
    • Any ER2 user, and
    • Active Directory (AD) users. This requires Active Directory to be configured in ER2.

    Delegated remediation can be done regardless of the delegatee's existing user account permissions.

  • Remediation tasks can only be delegated to user accounts with an associated email address.

Delegating Remediation for Sensitive Data Locations

A user with Global Admin and Remediate resource permissions can delegate the remediation of sensitive data locations to another user from the Investigate page. Using the Target and location filters, the delegator can simplify the Investigate results grid view to easily select multiple match locations for delegated remediation. For example, use the Metadata filter to only display locations that belong to a specific document owner.

To delegate a remediation task to another user:

  1. Log in to the ER2 Web Console.
  2. Go to Investigate.
  3. (Optional) Select one or more filters in the Filter Locations by panel and click Apply Filter to display Targets and match locations that fulfill specific criteria in the results grid.
  4. Select the Targets and match locations to be assigned for delegated remediation.

  5. Click Delegate and fill in the following fields in the Delegate Remediation dialog box:

    Field Description
    Delegate to Select a user to delegate the remediation task to.
    Subject

    (Optional) Enter a descriptive email subject to be used for the notification email.

    To change the default subject for the notification email, see Managing the Delegated Remediation Task Settings.

    Note

    (Optional) Enter a custom message for the notification email.

    To change the default message for the notification email, see Managing the Delegated Remediation Task Settings.

    Action Required Select the remediation actions that can be performed by the delegatee on the match locations. See Remedial Actions in ER2 for more information.
    The delegator can only assign remediation actions for which his account has explicit Remediate resource permissions for.
  6. Click Delegate to confirm the delegation task. Once confirmed, a notification email with a link to the delegated remediation task will be sent to the delegatee.

In the Investigate results grid, the "Delegated" status will be displayed in the Delegation column if there is at least one active delegated remediation task associated with the match location.

To check the status and progress of delegated remediation tasks that have been assigned by and assigned to the current user account, see Checking the Status of Delegated Remediation Tasks.

Managing the Delegated Remediation Task Settings

You can customize the default contents of the notification email that is sent to the delegatee, and the default link expiration date for delegated remediation tasks.

The message in the notification email can be customized to provide useful information to let the delegatee know how to proceed, or any specific action that is required for the delegated remediation task.

You must have Global Admin or System Manager permissions to modify the default email subject and message, and the validity period of the delegated remediation task.

  1. Log in to the ER2 Web Console.
  2. On the Settings > Remediation > PRO Settings page, go to the Delegated Remediation Email section.
  3. Click on Edit to customize the following fields for the delegated remediation task:

    Setting Description
    Subject Subject header for the notification email sent to the delegatee of a delegated remediation task. The character limit for the text is 200.
    Message Content of the notification email. The character limit for the text is 1000.
    Link Expiry Set the validity period for the delegated remediation task and link. For example, if set to 14, the delegated remediation task and link will expire automatically 14 days from the date and time when the task was created, unless expired manually.
  4. Once done, click on Save. The new settings will be applicable for future delegated remediation tasks.

Checking the Status of Delegated Remediation Tasks

The Tracker page provides a view of all remediation tasks that have been delegated to the current user by other users, and vice-versa.

To view the status of delegated remediation tasks:

  1. Log in to the ER2 Web Console.

    Field Description
    Enter Your Username

    Enter your ER2 or Active Directory (AD) user name.

    Example: john.doe

    Enter Your Password

    Enter your ER2 or AD password.

    Example: myPa$$w0rd

    <Active Directory Domain>

    Select your AD domain; only applicable for users logging in with AD credentials. Otherwise, select "No domain".

    Example: example.com

  2. Go to Tracker.
  3. In the Tracker page, click on:
    • Delegated to others to view the remediation tasks assigned by the current user to other users.
    • Delegated to me to view the remediation tasks assigned to the current user by other users.
    Column Description
    Delegated to User name of the delegatee of the remediation task. Only displayed in the Delegated to others tab.
    Delegated by User name of the delegator of the remediation task. Only displayed in the Delegated to me tab.
    Filter Applied List of filters that were applied to the match results set in the Investigate page when the delegated remediation task was created.
    Delegated on Date and time when the delegated remediation task was created.
    Link Expiration Expiry date and time for the delegated remediation task. Delegated remediation tasks expire automatically a certain number of days from the date and time when the task was created, unless expired manually. See Managing the Delegated Remediation Task Settings for more information.
    Delegated Locations Total number of Targets or Target locations selected for the delegated remediation task.
    Remediated Locations "x/y" where:
    • x is the total number of Target locations that have been remediated (by any user), and
    • y is the total number of Target locations assigned for the delegated remediation task.
    Partially masked Targets or Target locations do not count towards the total number of remediated locations (x).
    Link status Status of the delegated remediation task.
    • Active - Indicates that the delegated remediation task is still active and not all locations have been remediated.
    • Expired - Indicates that the delegated remediation task has expired. Delegated remediation tasks expire automatically four weeks (28 days) from the date and time when the task was created.
    • Expired Manually - Indicates that the delegated remediation task was expired manually by the delegator.
  4. (Optional) Use one or more filters in the Filter by… panel to show specific delegated remediation tasks.
  5. Hover over a task and click on the view Tracker view icon. icon to view the list Targets and match locations included in the delegated remediation task. See Reviewing and Remediating Locations for more information.

Trash

You can use the Trash function to remove active or expired delegated remediation tasks. When a delegated remediation task is trashed:

  • The corresponding task(s) will be removed from the Tracker page for both the delegator and delegatee.
  • The link for any active delegated remediation task will automatically become invalid.

To delete an active or expired delegated remediation task:

  1. (Optional) In the Tracker page, go to the Delegated to others tab. Select one or more filters in the Filter Locations by panel to display specific delegated remediation tasks.
  2. Select the delegated remediation tasks and click the Trash button Trash button to remove selected delegated remediation tasks. to delete. Otherwise click Cancel to cancel the operation.

Reviewing and Remediating Locations

The Locations To Be Remediated page displays the list of match locations to be remediated for a delegated remediation task.

To review and remediate a match location:

  1. Log in to the ER2 Web Console.
    Field Description
    Enter Your Username

    Enter your ER2 or Active Directory (AD) user name.

    Example: john.doe

    Enter Your Password

    Enter your ER2 or AD password.

    Example: myPa$$w0rd

    <Active Directory Domain>

    Select your AD domain; only applicable for users logging in with AD credentials. Otherwise, select "No domain".

    Example: example.com

  2. Go to the Locations To Be Remediated page.
    • Click on the Link to remediate in the notification email for the delegated remediation task and log in to the ER2 Web Console, or
    • Log in to the ER2 Web Console. In the Tracker page, hover over a task and click on the view Tracker view icon. icon.
  3. Click on a match location to bring up the Match Inspector to review the list of sensitive data matches for the match location.
  4. Select the Targets and match locations you want to remediate.
  5. Click Remediate and select one of the following actions:

    Remediation Remedial Actions
    Act directly on selected location
    • Mask all sensitive data - Masks all found sensitive data in the match location with a static mask.

    • Quarantine - Moves the files to a secure location you specify and leaves a tombstone text file in its place.

    • Delete Permanently - Securely deletes the match location (file) and leaves a tombstone text file in its place.

    • Encrypt file - Secures the match location using an AES encrypted zip file.

    See Act Directly on Selected Location for more information.

    Mark locations for compliance report
    • Confirmed - Marks selected match location as "Confirmed". The location has been reviewed and found to contain sensitive data that must be remediated.
    • Remediated manually - Marks selected match location as "Remediated Manually". The location contains sensitive data which has been remediated using tools outside of ER2 and rendered harmless.
    • Test Data - Marks selected match location as "Test Data". The location contains data that is part of a test suite, and does not pose a security or privacy threat.
    • False Match - Marks selected match location as a "False Match". The location is a false positive and does not contain sensitive data.

    See Mark Locations for Compliance Report for more information.

    Remedial actions taken in the Locations To Be Remediated page are applied to specific data types if any data type filters were selected when the delegated remediation task was created.

    For example, "File A" has one Personal Names (English) and two Visa matches. Only Visa matches will be remediated if Visa is the only data type filter that was selected when the delegated remediation task was created. See Checking the Status of Delegated Remediation Tasks for the list of filters that were applied for the delegated remediation task.

  6. Enter a name in the Sign-off field.
  7. Enter an explanation in the Reason field.
  8. Click Ok.
Missing list of locations?

For an active delegation task, the list of match locations in the Locations To be Remediated page may be empty if:

  • All match locations were deleted from the Target, or
  • All match locations were fully remediated.

See Remedial Actions in ER2 - Act Directly on Selected Location for more information.

Expiring A Delegated Remediation Task

Delegated remediation tasks expire automatically a certain number of days from the date and time when the task was created, or can be expired manually by the delegator.
When a delegated remediation task expires, the link and Locations To Be Remediated page for the delegated remediation task will no longer be accessible.

To manually expire a delegated remediation task:

  1. Log in to the ER2 Web Console.
  2. Go to Tracker.
  3. Click on Delegated to others to view the remediation tasks assigned to other users.
  4. (Optional) Use one or more filters in the Filter by… panel to show specific delegated remediation tasks.
  5. Select one or more active delegated remediation tasks and click Expire Link.
  6. In the Expire Link dialog box, click Expire to manually expire the links for the selected delegated remediation tasks. Otherwise click Cancel to cancel the entire operation.